Not possible to disable new TLS extensions for TLS 1.2 connections

Amir Khassaia amir.khassaia at gmail.com
Mon Jan 21 21:29:44 UTC 2019


Thanks Xuelei,
Do you mean to create an RFE at openjdk https://bugs.openjdk.java.net/ ?



On Tue, Jan 22, 2019 at 5:02 AM Xuelei Fan <xuelei.fan at oracle.com> wrote:

> Hi Amir,
>
> I can see the problem for incompatible impl.  Would you mind submit an
> OpenJDK enhancement for a workaround?
>
> Thanks & Regards,
>
> Xuelei
> On 1/20/2019 4:10 PM, Amir Khassaia wrote:
>
> Xuelei,
>
> I have a sample socket client for the device TLS issue but its not very
> helpful as any socket client created on top of JDK will do, the last
> problem was apparent only when talking to a specific hardware device which
> refused to negotiate TLS session (I've seen several odd TLS implementations
> that were intolerant to Java changes in various ways over the years and
> compatibility could always be assured through config changes, this time
> around less so).
>
> Some of the hardware TLS stacks can range from small oddities to being
> completely broken by small changes as they can contain outdated and poorly
> implemented TLS stacks that are very sensitive so even a small change can
> break them and thats why its always important to have levers provided to
> control almost every aspect of the handshake.
>
> I have a sample in my gist (
> https://gist.github.com/amir-khassaia/04347ca88526f4b958b3326968a905c0),
> apologies its in Kotlin. When ran with java 8, 9, 10 there were no issues.
> With java 11 this worked on most devices but I've had a device at a remote
> location that was not in my control that I've had to diagnose the handshake
> failure on using java 11 it was intolerant to TLS 1.2 client hello from
> Java 11 but fine with TLS 1.1 as the new extensions are not present. It
> would be fine with TLS 1.2 client hello from Java 10 and earlier as I
> mentioned.
>
> Javax.net.debug output
> -------------------------------
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.395
> AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding
> KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
> AEDT|ServerNameExtension.java:255|Unable to indicate server name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> server_name
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> status_request
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not
> supported by the underlying providers
> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported
> by the underlying providers
> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
> AEDT|AlpnExtension.java:161|No available application protocols
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> application_layer_protocol_negotiation
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
> status_request_v2
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
> AEDT|ClientHello.java:651|Produced ClientHello handshake message (
> "ClientHello": {
>   "client version"      : "TLSv1.2",
>   "random"              : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24 7F 34 3D
> 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>   "session id"          : "",
>   "cipher suites"       :
> "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>   "compression methods" : "00",
>   "extensions"          : [
>     "supported_groups (10)": {
>       "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>     },
>     "ec_point_formats (11)": {
>       "formats": [uncompressed]
>     },
>     "signature_algorithms (13)": {
>       "signature schemes": [ecdsa_secp256r1_sha256,
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
> rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224,
> ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>     },
>     "signature_algorithms_cert (50)": {
>       "signature schemes": [ecdsa_secp256r1_sha256,
> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
> rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224,
> ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>     },
>     "extended_master_secret (23)": {
>       <empty>
>     },
>     "supported_versions (43)": {
>       "versions": [TLSv1.2, TLSv1.1]
>     },
>     "renegotiation_info (65,281)": {
>       "renegotiated connection": [<no renegotiated connection>]
>     }
>   ]
> }
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
> AEDT|Alert.java:232|Received alert message (
> "Alert": {
>   "level"      : "fatal",
>   "description": "handshake_failure"
> }
> )
> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
> AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal
> alert: handshake_failure (
> "throwable" : {
>   javax.net.ssl.SSLHandshakeException: Received fatal alert:
> handshake_failure
>   at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>   at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>   at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>   at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>   at
> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>   at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>   at
> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>   at
> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>   at
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>   at SslSocketClient.main(SslSocketClient.kt:47)}
>
> )
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
> AEDT|SSLSocketImpl.java:1361|close the underlying socket
> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
> AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received
> fatal alert: handshake_failure
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
> at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
> at
> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
> at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
> at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
> at
> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
> at
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
> at SslSocketClient.main(SslSocketClient.kt:47)
>
>
>
>
> Wireshark TLS 1.2 Java 8 client hello
> -------------------------------------------------
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 157
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 153
>             Version: TLS 1.2 (0x0303)
>             Random: 5c34044c709feae39585e4db8e41b0170fbf9fa428b38941...
>                 GMT Unix Time: Jan  8, 2019 13:00:44.000000000 AUS Eastern
> Daylight Time
>                 Random Bytes:
> 709feae39585e4db8e41b0170fbf9fa428b38941983ddb53...
>             Session ID Length: 0
>             Cipher Suites Length: 44
>             Cipher Suites (22 suites)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> (0xc025)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> (0xc02b)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> (0xc02f)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>                 Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> (0xc02d)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>                 Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>                 Compression Method: null (0)
>             Extensions Length: 68
>             Extension: supported_groups (len=22)
>                 Type: supported_groups (10)
>                 Length: 22
>                 Supported Groups List Length: 20
>                 Supported Groups (10 groups)
>                     Supported Group: secp256r1 (0x0017)
>                     Supported Group: secp384r1 (0x0018)
>                     Supported Group: secp521r1 (0x0019)
>                     Supported Group: sect283k1 (0x0009)
>                     Supported Group: sect283r1 (0x000a)
>                     Supported Group: sect409k1 (0x000b)
>                     Supported Group: sect409r1 (0x000c)
>                     Supported Group: sect571k1 (0x000d)
>                     Supported Group: sect571r1 (0x000e)
>                     Supported Group: secp256k1 (0x0016)
>             Extension: ec_point_formats (len=2)
>                 Type: ec_point_formats (11)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>                     EC point format: uncompressed (0)
>             Extension: signature_algorithms (len=28)
>                 Type: signature_algorithms (13)
>                 Length: 28
>                 Signature Hash Algorithms Length: 26
>                 Signature Hash Algorithms (13 algorithms)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>             Extension: extended_master_secret (len=0)
>                 Type: extended_master_secret (23)
>                 Length: 0
>
>
>
> Wireshark Java 11 TLS 1.2 Client hello
> ----------------------------------------------------
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 185
>         Handshake Protocol: Client Hello
>             Handshake Type: Client Hello (1)
>             Length: 181
>             Version: TLS 1.2 (0x0303)
>             Random: 37f32691301b6b9d45bb62c6268915819881b8ebd95f152c...
>                 GMT Unix Time: Sep 30, 1999 19:00:01.000000000 AUS Eastern
> Standard Time
>                 Random Bytes:
> 301b6b9d45bb62c6268915819881b8ebd95f152c41c7e483...
>             Session ID Length: 0
>             Cipher Suites Length: 10
>             Cipher Suites (5 suites)
>                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> (0xc023)
>                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> (0xc027)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                 Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>             Compression Methods Length: 1
>             Compression Methods (1 method)
>                 Compression Method: null (0)
>             Extensions Length: 130
>             Extension: supported_groups (len=10)
>                 Type: supported_groups (10)
>                 Length: 10
>                 Supported Groups List Length: 8
>                 Supported Groups (4 groups)
>                     Supported Group: secp256r1 (0x0017)
>                     Supported Group: secp384r1 (0x0018)
>                     Supported Group: secp521r1 (0x0019)
>                     Supported Group: secp160k1 (0x000f)
>             Extension: ec_point_formats (len=2)
>                 Type: ec_point_formats (11)
>                 Length: 2
>                 EC point formats Length: 1
>                 Elliptic curves point formats (1)
>                     EC point format: uncompressed (0)
>             Extension: signature_algorithms (len=42)
>                 Type: signature_algorithms (13)
>                 Length: 42
>                 Signature Hash Algorithms Length: 40
>                 Signature Hash Algorithms (20 algorithms)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (4)
>                     Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (5)
>                     Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (6)
>                     Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (9)
>                     Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (10)
>                     Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (11)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: MD5 RSA (0x0101)
>                         Signature Hash Algorithm Hash: MD5 (1)
>                         Signature Hash Algorithm Signature: RSA (1)
>             Extension: signature_algorithms_cert (len=42)
>                 Type: signature_algorithms_cert (50)
>                 Length: 42
>                 Signature Hash Algorithms Length: 40
>                 Signature Hash Algorithms (20 algorithms)
>                     Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (4)
>                     Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (5)
>                     Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (6)
>                     Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (9)
>                     Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (10)
>                     Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
>                         Signature Hash Algorithm Hash: Unknown (8)
>                         Signature Hash Algorithm Signature: Unknown (11)
>                     Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
>                         Signature Hash Algorithm Hash: SHA384 (5)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
>                         Signature Hash Algorithm Hash: SHA512 (6)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA256 DSA (0x0402)
>                         Signature Hash Algorithm Hash: SHA256 (4)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: SHA224 ECDSA (0x0303)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: SHA224 RSA (0x0301)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA224 DSA (0x0302)
>                         Signature Hash Algorithm Hash: SHA224 (3)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: ecdsa_sha1 (0x0203)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: ECDSA (3)
>                     Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: RSA (1)
>                     Signature Algorithm: SHA1 DSA (0x0202)
>                         Signature Hash Algorithm Hash: SHA1 (2)
>                         Signature Hash Algorithm Signature: DSA (2)
>                     Signature Algorithm: MD5 RSA (0x0101)
>                         Signature Hash Algorithm Hash: MD5 (1)
>                         Signature Hash Algorithm Signature: RSA (1)
>             Extension: extended_master_secret (len=0)
>                 Type: extended_master_secret (23)
>                 Length: 0
>             Extension: supported_versions (len=5)
>                 Type: supported_versions (43)
>                 Length: 5
>                 Supported Versions length: 4
>                 Supported Version: TLS 1.2 (0x0303)
>                 Supported Version: TLS 1.1 (0x0302)
>             Extension: renegotiation_info (len=1)
>                 Type: renegotiation_info (65281)
>                 Length: 1
>                 Renegotiation Info extension
>                     Renegotiation info extension length: 0
>
>
>
>
>
>
> On Mon, Jan 21, 2019 at 10:37 AM Xuelei Fan <xuelei.fan at oracle.com> wrote:
>
>> Hi Amir,
>>
>> Normally, the extension should have no impact if it cannot be recognized
>> by the server.   It's good to be able to disable extensions if not
>> needed.   I need to evaluate the priority of it although.  Did you have a
>> simple test code that I can reproduce the issue?
>>
>> Thanks,
>>
>> Xuelei
>> On 1/20/2019 3:03 PM, Amir Khassaia wrote:
>>
>> Greetings Xuelei,
>> To follow up on this, the certificate in the connection is a red herring
>> and not important. It's actually a very unusual behaviour by
>> talk.google.com endpoint to encapsulate an error message inside a
>> certificate.
>>
>> As per the output I included:
>>
>> *"certificate" : {
>> *>*      "version"            : "v3",
>> *>*      "serial number"      : "00 90 76 89 18 E9 33 93 A0",
>> *>*      "signature algorithm": "SHA256withRSA",
>> *>*      "issuer"             : "CN=invalid2.invalid, OU="No SNI provided;
>> *>* please fix your client."",
>> *>*      "not before"         : "2015-01-01 11:00:00.000 AEDT",
>> *>*      "not  after"         : "2030-01-01 11:00:00.000 AEDT",
>> *>*      "subject"            : "CN=invalid2.invalid, OU="No SNI provided;
>> *>* please fix your client."",*
>>
>>  This certificate simply masks the TLS interoperability issue as an untrusted certificate issue.
>>
>> The fact is, some of the extensions sent by JSSE are changes to TLS 1.2
>> to support TLS 1.3, this however affects some clients adversely in practice
>> and usually JDK provides properties to turn new enhancements off and work
>> around such behaviour, for the extensions I mentioned this is not provided
>> and hence they are always sent for client sockets unless TLSv1.2 is not in
>> use.
>>
>> The impact to us is that upgrading to JDK11 means for some endpoints or
>> devices that are not 100% compliant to the spec the security is reduced as
>> we have to now work around to drop connections to these to TLSv1.1 or
>> TLS1.0 or not to move to Java 11 at all.
>>
>> My request is simply to have all of the new extensions configurable on individual basis so that they can be turned off if needed for compatibility just like most other security enhancements that were delivered in the past.
>>
>> It appears some of the issues can come from
>>
>> - inclusion of RSASSA-PSS alg in TLS 1.2 handshakes but these can
>> disabled at least
>>
>> -signature_algorithms_cert and supported_versions extensions which seem
>> to be hardcoded for TLS 1.2 (I was not able to conclusively identify which
>> of these caused my troubles)
>>
>> https://tools.ietf.org/html/rfc8446#section-1.3 does say that TLS 1.2
>> clients are affected but in an optional manner.Just today I've encountered
>> another Java 11 interop issue with TLS but this time with a physical device
>> which can have a long shelf life yet running a simple client socket
>> handshake abruptly terminates the connection upon client hello (no
>> server_hello at all), and downgrading the JRE below 11 works fine. I'm
>> including a trace for that as well: javax.net.ssl|DEBUG|01|main|2019-01-08
>> 13:40:14.395 AEDT|SSLCipher.java:437|jdk.tls.keyLimits:  entry =
>> AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
>>
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.433
>> AEDT|ServerNameExtension.java:255|Unable to indicate server name
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
>> server_name
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.433
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
>> status_request
>>
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.443
>> AEDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not
>> supported by the underlying providers
>>
>> javax.net.ssl|WARNING|01|main|2019-01-08 13:40:14.444
>> AEDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported
>> by the underlying providers
>>
>> javax.net.ssl|INFO|01|main|2019-01-08 13:40:14.449
>> AEDT|AlpnExtension.java:161|No available application protocols
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.449
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
>> application_layer_protocol_negotiation
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.450
>> AEDT|SSLExtensions.java:235|Ignore, context unavailable extension:
>> status_request_v2
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.453
>> AEDT|ClientHello.java:651|Produced ClientHello handshake message (
>>
>> "ClientHello": {
>>
>>   "client version"      : "TLSv1.2",
>>
>>   "random"              : "1A BA E8 FC 59 00 AB DF 9A 1A 07 94 24 7F 34
>> 3D 0B D2 7D 10 72 52 54 CD 44 43 62 E8 8B 42 C6 68",
>>
>>   "session id"          : "",
>>
>>   "cipher suites"       :
>> "[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
>> TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),
>> TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
>>
>>   "compression methods" : "00",
>>
>>   "extensions"          : [
>>
>>     "supported_groups (10)": {
>>
>>       "versions": [secp256r1, secp384r1, secp521r1, secp160k1]
>>
>>     },
>>
>>     "ec_point_formats (11)": {
>>
>>       "formats": [uncompressed]
>>
>>     },
>>
>>     "signature_algorithms (13)": {
>>
>>       "signature schemes": [ecdsa_secp256r1_sha256,
>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
>> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
>> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
>> rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224,
>> ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>>
>>     },
>>
>>     "signature_algorithms_cert (50)": {
>>
>>       "signature schemes": [ecdsa_secp256r1_sha256,
>> ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
>> rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
>> rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
>> rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224,
>> ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
>>
>>     },
>>
>>     "extended_master_secret (23)": {
>>
>>       <empty>
>>
>>     },
>>
>>     "supported_versions (43)": {
>>
>>       "versions": [TLSv1.2, TLSv1.1]
>>
>>     },
>>
>>     "renegotiation_info (65,281)": {
>>
>>       "renegotiated connection": [<no renegotiated connection>]
>>
>>     }
>>
>>   ]
>>
>> }
>>
>> )
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.455
>> AEDT|Alert.java:232|Received alert message (
>>
>> "Alert": {
>>
>>   "level"      : "fatal",
>>
>>   "description": "handshake_failure"
>>
>> }
>>
>> )
>>
>> javax.net.ssl|ERROR|01|main|2019-01-08 13:40:14.456
>> AEDT|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Received fatal
>> alert: handshake_failure (
>>
>> "throwable" : {
>>
>>   javax.net.ssl.SSLHandshakeException: Received fatal alert:
>> handshake_failure
>>
>>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>
>>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>
>>     at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>
>>     at
>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>
>>     at
>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>
>>     at
>> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>
>>     at
>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>
>>     at
>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>
>>     at
>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>
>>     at SslSocketClient.main(SslSocketClient.kt:47)}
>>
>>
>> )
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>> AEDT|SSLSocketImpl.java:1361|close the underlying socket
>>
>> javax.net.ssl|DEBUG|01|main|2019-01-08 13:40:14.457
>> AEDT|SSLSocketImpl.java:1380|close the SSL connection (initiative)
>>
>> Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received
>> fatal alert: handshake_failure
>>
>>   at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
>>
>>   at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>
>>   at
>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
>>
>>   at
>> java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
>>
>>   at
>> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
>>
>>   at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>>
>>   at
>> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
>>
>>   at
>> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
>>
>>   at
>> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
>>
>>   at SslSocketClient.main(SslSocketClient.kt:47)
>>
>>
>>
>>
>> I've sent my reply earlier but neither got it posted nor denied
>> notification so trying again.
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20190122/07bda773/attachment-0001.html>


More information about the security-dev mailing list